The prosecutions tied to this investigation have been interesting, to say the least. The FBI's short run as child porn site hosts received a judicial shrug -- something courts have done in the past when confronted with disturbing government behavior in service of combating crime. These have also led to the government arguing -- and the court echoing -- that Tor users have no expectation of privacy, as sooner or later, everything comes down to an IP address.

The warrant itself is slightly redacted, but that's hardly a surprise. More surprising is the fact that it has been released at all, as the FBI usually argues for the sealing of documents related to its investigations, especially in cases where law enforcement tech and methods are discussed.

As far as the details contained within, most of what's known about the FBI's NIT has already been discussed. As Motherboard's Joseph Cox points out, there are a few interesting aspects to the warrant request. For one, it makes it clear the FBI will be running a child porn site for the duration of the "search."

“While the TARGET WEBSITE operates at a government facility, such request data associated with a user's actions on the TARGET WEBSITE will be collected,” the affidavit, signed by Douglas Macfarlane, an FBI special agent, reads.

While the document claims the FBI has no other way to ascertain the IP addresses and locations of users connecting to the website, it also goes light on the details of what it plans to do. The NIT is discussed in terms of what it's capable of gathering, but the document goes very, very light on technical details. Nowhere in the document does the FBI refer to its NIT in terms more applicable to its function, like "malware," "spyware" or "hacking." The FBI describes its NIT this way:

In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. Under the NIT authorized by this warrant, the TARGET WEBSITE, which will be located in Newington, Virginia, in the Eastern District of Virginia, would augment that content with additional computer instructions. When a user's computer successfully downloads those instructions from the TARGET WEB SITE..., the instructions, which comprise the NIT, are designed to cause the user's "activating" computer to transmit certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit), and the warrant authorizes obtaining no other information. The NIT will not deny the user of the "activating" computer access to any data or functionality of the user's computer.

This lack of details could be problematic.

Critics are worried that the language of NIT applications is too vague for judges to grasp what exactly it is they are authorizing; the words "malware" or "hacking" are never used, for example. (Magistrate Judge Theresa C. Buchanan, who signed off on the NIT, has repeatedly declined to answer questions from Motherboard.) The NIT was used to access computers in the US, Greece, Chile, and likely elsewhere.

Speaking of foreign nations, the FBI apparently had some outside assistance in this case.

In December of 2014, a foreign law enforcement agency advised the FBI that it suspected IP address 192.198.81.106, which is a US-based IP address, to be associated with the TARGET WEBSITE. A publicly available website provided information that the IP Address 192.198.81.106 was owned by [REDACTED] a server hosting company headquartered at [REDACTED] Through further investigation, FBI verified that the TARGET WEBSITE was hosted from the previously referenced IP address. [...] Further investigation has identified a resident of Naples, FL, as the suspected administrator of the TARGET WEBSITE, who has administrative control over the computer server in Lenoir, NC, that hosts the TARGET WEBSITE.

The fact that documents from sealed cases related to the FBI's Playpen investigation are being released publicly shows that even opposed forces can sometimes arrive at the same plan of action, even if their motivations are completely different.

In Washington, the lawyer for a defendant captured with the assistance of the FBI's NIT is hoping to put the FBI's apparent overreach on display by requesting the unsealing of documents. The FBI, on the other hand, isn't putting up much of a fight to keep these sealed. The affidavit in this related case contains graphic descriptions of child porn images found on the site. People who generally don't believe the ends justify the means often make exceptions for more heinous criminal activity like this. The public outing of sealed docs could persuade fence-sitters to come down on the side of the FBI, even if the agency's use of NITs is hardly limited to cases involving crime the public overwhelmingly finds completely repugnant.

from the IP-addresses-all-the-way-down dept

When is a reasonable expectation of privacy unreasonable? When the government says it is.

In this month alone, we've had two federal judges and the DOJ state that there's no expectation of privacy in IP addresses. This would normally be something covered by the Third Party Doctrine -- where an IP address is part of the records retained by ISPs, and therefore, can be accessed with subpoenas rather than warrants.

The twist, though, is that all of these statements were made in reference to people who made an active effort to obscure their IP addresses by using Tor.

On February 1st, the judge presiding over the Jay Michaud case -- the one where the FBI (for the second time in recent history) ran a child porn website for two weeks in order to gather evidence on visitors to the site -- stated that Tor users had no reasonable expectation of privacy, despite their privacy-protecting efforts. Michaud was challenging the FBI's use of a standard warrant to deploy its NIT (Network Investigative Technique) -- a piece of malware that gathered information about computers connecting to the child porn website.

US district judge Robert J. Bryan denied the motion, noting that while the warrant technically violated the rule, a higher court's interpretation provides an exception for when the information sought could have been discovered by “other lawful means.”

To prove this, the judge bizarrely argued that Tor doesn't give its users complete anonymity because a user has to give their IP address to their Internet Service Provider to connect to the Tor network. Therefore, he concluded, Michaud's IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.”

In doing this, the judge agreed with the assertions the DOJ made in its earlier motion. The DOJ claimed Michaud's IP address was something he shared with third parties -- despite his use of Tor -- and was info the government would have eventually discovered one way or another, even without the use of its controversial hacking tool.

“[E]ven if a defendant wants to seek to hide his Internet Protocol address through the use of Tor, that does not cloak the IP address with an expectation of privacy,” the government wrote, in a statement very similar to the opinion later written by Judge Bryan. “While Michaud may have a reasonable expectation of privacy in stored information contained on his computer, he lacks a reasonable expectation of privacy in IP address information that belongs to an internet service provider and that is voluntarily shared with others in the course of Internet communications.”

The interesting thing about this assertion is the claim that Michaud "voluntarily" shared his IP address with others. It would seem fairly obvious there was nothing "voluntary" about this exposure. While it's true that IP addresses are "shared" with Tor when connecting, that information is stripped from communications as they travel through the Tor network.

The government argued the NIT merely rerouted this information to the FBI before Tor stripped it. Michaud apparently should have known his use of a privacy-protecting network would perhaps expose his IP address to others, including the FBI.

But as Tor itself states, without intervention from other parties, this information would not be collected by Tor, nor passed along its network.

It is clear that the court does not understand how the Tor network works. The entire purpose of the network is to enable users to communicate privately and securely. While it is true that users "disclose information, including their IP addresses, to unknown individuals running Tor nodes," that information gets stripped from messages as they pass through Tor's private network pathways.

This statement is in response to another judge's declaration that people who utilize additional privacy protections when browsing the web still have no expectation of privacy in their IP addresses. This nearly-identical assertion was made by the judge presiding over the Silk Road 2.0 prosecution of Brian Farrell. In this case, the Defense Department (home of the NSA!) paid Carnegie Mellon researchers to attack the Tor network in order to expose identifying info about its users. The FBI followed along behind the DoD, firing off subpoenas to obtain this newly-discovered information.

From the record, it appears the only information passed on to law enforcement about the defendant was his IP address. There is nothing presented by the defense, other than rank speculation, that anything more was obtained by SEI and provided to law enforcement to identify the defendant.

The Court agrees with the government that applicable Ninth Circuit authority precludes the defendant’s success on his motion. SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny. The Court reaches this conclusion primarily upon reliance on United States v. Forrester, 512 F.2d 500 (9th Cir. 2007). In Forrester, the court clearly enunciated that: “Internet users have no expectation of privacy in …the IP address of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.”

The court goes on to say it's too bad Tor users expected more protection from the service, but their expectations are not "reasonable" under the Fourth Amendment.

In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

A subjective expectation of privacy is in no way comparable to the historic view of the objective, reasonable expectation of privacy. Tor users may be taking extra steps to obscure their IP addresses, but two court rulings clearly state the judicial system won't be granting them any "extra" protection from government subpoenas. In fact, these rulings simply make it easier for the government to defend the intrusive techniques it deploys to unmask Tor users by declaring that, underneath it all, it's all about IP addresses, rather than users taking proactive steps to better protect their privacy. It's not quite a blank check for hacking, but it's close. As long as the target is information not historically awarded Fourth Amendment protections, courts will be hard-pressed to question the means used to achieve these ends.

from the you-can-browse-privately,-just-don't-expect-your-privacy-to-hold-up-in-court dept

Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.

Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Farrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Farrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.

Included in the information handed over to Farrell's legal representative was the following:

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.

The Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI's Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.

Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.

[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.

So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…

When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

This statement says nothing more than that CMU receives subpoenas from time to time, and hints that everybody is probably wrong about everything because of "inaccurate media reports."

Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.

“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.

In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.

So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.

from the privacy-shouldn't-be-considered-inherently-suspicious dept

New Hampshire state legislators have introduced a new bill that allows public libraries to run privacy software like Tor.

The bill, crafted by State Rep. Keith Ammon (R) and sponsored by six other lawmakers, emphasizes the role that encryption and privacy tools will play in upholding the long tradition of privacy in public libraries.

“Public libraries ... have upheld and protected patron privacy as one of their core values since 1939,” the bill reads. “In a library (physical or virtual), the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.”

Libraries have occasionally been the frontline for privacy skirmishes. "Warrant canaries" are a library creation. In the case of the Kilton Public Library, the DHS stepped in and demanded the Tor relay it was running for use by patrons be shut down. The library fought back, eventually forcing the DHS to back down.

To prevent this sort of thing from happening again, Ammon's bill would grant libraries the right to run Tor relays and other software to protect users' anonymity.

Public libraries may allow the installation and use of cryptographic privacy platforms on public library computers for library patrons use. Cryptographic privacy software shall include Tor or other privacy software that encrypts user's information to protect it from surveillance or collection. Public libraries may also support infrastructure for cryptographic software that helps to promote a free and open Internet, such as running Tor relays. Public libraries shall not give records relative to use of cryptographic privacy software to a government agency without first providing written notice to the person in question.

This is likely to run into law enforcement opposition, even though there have been very few prosecutions linked to abuse of public library computers.

The use of a Tor browser is not, in and of itself, illegal. There are legitimate purposes for its use. Originally designed, implemented and deployed by [the] United States Naval Research Laboratory, Tor affords users a way to share information over public networks without compromising their privacy. However, the protections that Tor offers can be attractive to criminal enterprises or actors and HSI will continue to pursue those individuals who seek to use the anonymizing technology to further their illicit activity.

In fact, as Ars Technica's Cyrus Farivar pointed out on Twitter, the DHS is still holding onto some bitterness from being shouted down by a tiny public library.

Emails related to the DHS's shutdown of the relay contained this derisive statement about Alison Macrina -- one of the leaders of the "Tor relay in every library" project:

Just terrific…… that kid seems to be thinking an inch past the end of her nose

This isn't likely to be the end of government efforts to shut down the use of encryption/anonymization software by publicly-accessible entities. But, if the legislation passes intact, future battles will be fought somewhere other than New Hampshire.

from the a-new-form-of-file-sharing dept

In California, the FBI is hoping to force Apple to write a hacking tool for it so it can access the contents of an iPhone. Further up the coast in Washington, the compelling force is moving in the opposite direction. The attorney representing a man swept up during the FBI's two-week stint as sysadmins for a child porn server has just had a motion granted that would force the agency to turn over details on the hacking tool it deployed.

A judge has ordered the FBI to reveal the complete code for its Tor exploit to defense lawyers in a child porn case.

On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he continued.

While the defense will likely see the code -- provided the FBI can't argue its way out of disclosing its methods -- it's highly likely the general public won't have access to these details. The docket is littered with documents sealed at the request of the FBI. Fortunately, there are also a few motions by Michaud's lawyer to unseal documents, so there's still a small chance information on the FBI's NIT (Network Investigative Technique) will make its way into the public domain. If so, it will probably be heavily redacted, but it should still provide a small peek into the FBI's hacking efforts.

Cox also points out that the FBI has already turned over some of its NIT code, but what the defense received was missing several key elements.

Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevitch, the defense's consulted expert, received the discovery.

However, according to Tsyrklevitch, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT-infection was truly unique, and another was the exploit itself used to break into his computer.

The only other new document of import in the case is a sworn declaration from Special Agent Daniel Alfin, which claims the FBI has already handed over everything it should have to.

The NIT computer instructions provided to the defense on January 11, 2016, comprise the only "payload" executed on Michaud's computer as part of the FBI investigation resulting in his arrest and indictment in this case. Accordingly, the defense has been given access to the only "payload" as that term is used by the defense in its Third Motion to Compel, accompanying Declaration.

But the declaration also notes the FBI has more information it could "share" with the defense.

The government has advised the defense that it is willing to make available for its review the two-way network data stream showing the data sent back-and-forth between Michaud's computer and the government-controlled computer as a result of the execution of the NIT.

It also points out that at no time did images travel from Michaud's computer to an FBI-owned computer or vice versa. Agent Alfin also avers that once the investigation concluded, the FBI no longer had access to Michaud's computer.

Considering the judge has already given the FBI a pass for running a child porn website for two weeks, it seems unlikely the court will find anything about the NIT to be the basis for tossing evidence. There may be some issues troubling the outer reaches of the Fourth Amendment, but courts have historically forgiven questionable law enforcement behavior that serves a "compelling public interest" -- and it's hard to find a more "compelling" interest than fighting child pornography.

from the 'we-just-need-to-coughcompromiseabunchofcomputerscough.-please-sign-here. dept

In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

The FBI appears to have exploited flaws in the Tor browser to use a seized server as a honeypot for its child pornography investigations. Rather than take a seized server offline, the FBI kept it running, using it to gather a wealth of information from anyone who attempted to create an account.

[T]he FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

The specifics of the hacking tool are unknown, but it intercepted a large amount of device-specific data, including the operating system used, Host Name, username, MAC address and whether or not a particular computer had previously been compromised by the FBI's hacking tool.

All told, the FBI gathered information on more than 1,300 Playpen users during this two-week span. The documents state the FBI now has over a thousand "true IP addresses" in its possession -- which isn't nearly the same thing as having positively ID'ed several hundred individuals. And, while it's difficult to complain about efforts made to take down child pornographers, it's highly likely the warrant was obtained from a judge who had no idea what she was authorizing.

Magistrate Judge Theresa C. Buchanan in the Eastern District of Virginia, who signed the warrant used for the NIT, did not respond to questions on whether she understood that the warrant would grant the power to hack anyone who signed up to Playpen, or whether she consulted technical experts before signing it, and her office said not to expect a reply.

The ACLU's Chris Soghoian says the DOJ seeks NIT authorization using "very vague" wording that obscures the methods deployed and the scope of the surveillance effort. Federal public defender Colin Fieman, who is already handling several cases tied to the FBI's takeover of the Playpen server, says the warrant is a surveillance blank check.

Fieman said that the warrant “effectively authorizes an unlimited number of searches, against unidentified targets, anywhere in the world.”

This is the power the FBI desires. The DOJ is pushing for an update to existing statutes that would grant the FBI permission to do exactly this. It has already demonstrated its willingness to treat servers in foreign countries as unprotected territory where it can do as it wishes. With the warrant it obtained here, the FBI is treating domestic computers with the same lack of concern. Thanks to its obfuscatory warrant applications, it's being granted this power by judges who have no idea what they're dealing with or have been misled by the agency's creative phrasing.

from the that-proposed-encryption-ban,-tho dept

The French government has issued a statement indicating it will not be participating in the nation's law enforcement agencies' perversely masturbatorial power fantasies. A few days ago, Le Monde published a few "highlights" from a law enforcement "wishlist," crafted in response to the terrorist attacks in Paris.

Among the many, many things law enforcement jotted down in response to a call for input on future terrorist-related legislation was a ban on public WiFi, Tor connections and encrypted communications. This was in addition to requests for warrantless/consent-less searches of people and vehicles, and the power to arbitrarily set up roadblocks for the purposes of executing even more warrantless/consent-less searches of people and vehicles.

A ban on Wifi internet access will not be introduced as part of new security measures in response to the Paris attacks in November, the Prime Minister has said.

There also appears to be no government interest in banning Tor connections, although this was stated a little less firmly. And the whole "demand encryption keys from third parties" request goes entirely unaddressed, suggesting the French government still has an eye on inserting itself into encrypted relationships as a "trusted partner."

Interestingly, Prime Minister Manuel Valls appears to have not seen the same document Le Monde did.

The prime minister denied any knowledge of such police requests, adding: "Internet is a freedom, is an extraordinary means of communication between people, it is a benefit to the economy."

Mr Valls said he understood the security services' need for tough measures to fight terrorism but stressed that those measures had to be "effective".

This could be taken to mean that the law enforcement wishlist compiled by the police liaison office isn't viewed as an "official" request in any way, shape or form -- that it may as well have been drunken scrawls on the back of a cocktail napkin as far as the Prime Minister is concerned. It could also mean the Prime Minister isn't yet willing to go on record as to the numerous other, unaddressed requests made by law enforcement, most of which deal with the terrestrial realm, rather than the more ethereal 'net.

France is still under a state of emergency, which has already given law enforcement increased discretionary powers. The government will likely move forward with harmful legislation because that's what governments tend to do in response to violent attacks. But, for now, it appears law enforcement will have to make do with the arbitrary house arrests and warrantless searches it's already engaging in.

from the the-War-on-Citizens dept

More bad news for French citizens. Not only were they recently attacked by terrorists, but now their government is using these attacks against them to strip away civil liberties and shift more power to police and intelligence agencies.

That's only the beginning of the wishlist. The document is not, by any means, a formal presentation of future legislative issues, but rather the equivalent of an open "suggestion" box, which has now been filled with terrible ideas by law enforcement agencies. How seriously French legislators take these suggestions won't be seen until early next year when the legislature reconvenes.

Forcing those on the receiving end of administrative searches to give up DNA samples

From that point, law enforcement starts asking for more ways to control communications.

Banning open WiFi connections during a state of emergency.

It's unclear whether they're looking for a preemptive ban or simply a kill switch. Either way, the state of emergency in France has been extended, and may never truly go away. If so, the ban/kill switch would be as permanent as the state of emergency itself. Open or shared connections would be subject to criminal sanctions.

Back in the physical realm, police also want the power to shut down roads to search for vehicles -- again with little to no legal justification. They also want a centralized database containing information on anyone renting hotel rooms or vehicles.

As Le Monde notes, some of the requests fall outside of the realm of possibility and several fall outside the constraints of France's constitution. But the latter is definitely malleable. The government can't do anything about the impossible but it can use the current state of emergency to carve more holes in the rights of its citizens.

How seriously these requests will be taken remains to be seen. The post-terrorist attack spitballing by law enforcement agencies almost reaches the point of self-parody. Le Monde snarkily notes that it's not sure if this wishlist was meant for legislators or for "Santa." But it also notes that the expanded-government-power Santa may actually be presiding over this wishlist, unfortunately.

Santa has a new name: State of Emergency.

Whether or not any of this makes its way into actual law, it still clearly documents the law enforcement mindset -- one that never stops looking for ways to expand its own power at the expense of the citizens it's supposed to serve.

from the trust-no-one dept

Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong. Last month, Tor then dropped a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. Running from January to July of 2014, CERT used just $3,000 in hardware to flood the Tor network with additional new relays that then modified Tor protocol headers to do traffic confirmation attacks.

Both the FBI and the university continue to deny the claims, for whatever that's worth:

“The allegation that we paid CMU $1 million is inaccurate,” said an FBI spokesperson.

Meaning, if you're familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.

Regardless, Hill's new report, drawing on an interview with Tor chief architect Nick Mathewson, provides a lot more insight into the attack. Mathewson admits it wasn't the developers' finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:

"I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone... "It didn’t occur to me that they would run the attack in the wild on random users," said Mathewson. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn’t seem to me like a deep threat."

Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon -- which targeted the Darkode black marketplace. And the markets are still reeling. Though it's always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they're trying to implement upgrades that will make their drug bazaars more secure.

But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody. And the use of supposedly objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon's Institutional Review Board set a disgusting precedent for the security community:

"There’s an argument that this attack hurts all of the bad users of Tor so it’s a good thing,” said Mathewson. “But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal."

"Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects.

For what it's worth, Mathewson says the Tor team has made numerous code changes over the last year to better scan the Tor network for potential threats, and is working on an as-yet unfinished revamp of the hidden services design. Tor is also working on what Mathewson calls a "new cryptographic trick" that will allow a hidden services directory to send Tor users to a hidden site -- without the directory knowing where it's sending them. The developers have also apparently learned a thing or two about trust, with Mathewson stating they're no longer "extending security researchers the benefit of the doubt on anything." Good idea.

The central question, of course, is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor's $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign to expand its funding base, for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such, we're left wondering whether Tor can be trusted moving forward and, if not, what comes next for the millions of users who depend on Tor for perfectly legal anonymous communications.

from the fud-fud-fuddy-fud-fud dept

Did you hear that story about how ISIS is so sophisticated with encryption that they have a special "opsec" manual on computer security protocols? You might have, because last week it was all over the internet. Yahoo kicked it off with a story, claiming it was the secret manual ISIS "uses to teach its soldiers about encryption." Wired followed up with its own story, as did The Telegraph. The "manual" was "discovered" by analysts at the Combating Terrorism Center, based out of the US Military Academy at West Point. Thankfully, Buzzfeed has the details, noting that the guide, created by a cybersecurity firm in Kuwait, named Cyberkov, is actually a guide for journalists and activists to protect their communications from oppressive governments. And there's nothing particularly secret about it, as apparently it's basically just repurposed stuff from the EFF's website:

“Our guide is based on publicly available tools, instructions and best practices. The guidelines in our manual are sourced from the EFF [Electronic Frontier Foundation] and other sources of privacy organizations,” wrote CyberKov CEO Abdullah AlAli to BuzzFeed News in an email. He said his organization had no idea its guide had been repurposed by ISIS. He was surprised to see it cited in articles, many of which have been updated since they were originally posted to note the document’s origin, and “even more shocked to see the Combating Terrorism Center at West Point simply Google-Translated it and claimed it as ISIS’s.”

Now, it does appear that some folks in ISIS may have sent around versions of the guide, but that rather undermines the idea that they had created their own special set of guidelines to avoid being tracked, when all they're doing is picking up publicly available information on security best practices.